Router reporting failed admin login attempts from home server

Posted by jeffora on Super User See other posts from Super User or by jeffora
Published on 2011-06-20T13:32:49Z Indexed on 2011/11/11 18:00 UTC
Read the original article Hit count: 263

I recently noticed in the logs of my home router that it relatively regularly lists the following entry:

[admin login failure] from source 192.168.0.160, Monday, June 20,2011 18:13:25

192.168.0.160 is the internal address of my home server, running Windows Home Server 2011. Is there anyway I can find out what specifically is trying to login to the router? Or is there some explanation for this behaviour? (not sure if this belongs here or on superuser...)

[Update] I've run both Wireshark and netmon for a while on my home server. Wireshark captured the traffic, but didn't really show anything useful (or nothing I could make use of). A simple HTTP GET request is sent from the server (192.168.0.160) to the router (192.168.0.1), from a seemingly random port (I've seen examples from 50068, 52883), and it appears to do it twice in quick succession (incrementing port by 1), about every hour. Running netstat around the time of the failure didn't show anything (probably too long after anyway).

I tried using netmon as it categorises by process, so I thought it might show a corresponding process for the port. Unfortunately, this comes in under the 'unknown' category, meaning it's basically just a slower, less useful Wireshark.

I know there's not much to go on here, but does this help in anyway?

© Super User or respective owner

Related posts about security

Related posts about router